How to integrate Keystone with AD (Active Directory) so that all users in AD can use the OpenStack services on the dashboard?
Hi All,
We're trying to integrate Keystone with AD (Active Directory).
What we want to achieve is to let all users in AD log in to Horizon and use all the OpenStack services on their own.
We now have a test AD server, and the setup follows: https://wiki.openstack.org/wiki/HowtoIntegrateKeystonewithAD#How_to_Integrate_Keystone_with_Active_Directory
After we configured the AD server and keystone.conf, we can now use keystone commands to get the user list, role list, and tenant list from the AD server.
But when I try to log in to Horizon with an AD user, it shows "Unable to authenticate to any available projects."
Does anybody have experience doing this?
My keystone.conf is as below:
[DEFAULT]
admin_token = admin
log_file = keystone.log
log_dir = /var/log/keystone
log_config = /etc/keystone/logging.conf

[sql]
connection = mysql://keystone:admin@127.0.0.1/keystone

[identity]
driver = keystone.identity.backends.ldap.Identity

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[token]
driver = keystone.token.backends.sql.Token

[policy]
driver = keystone.policy.backends.rules.Policy

[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2

[ldap]
url = ldap://10.109.37.118:389
user = cn=bill_chen,cn=Users,dc=npt,dc=sd1
password = *
suffix = cn=npt,cn=sd1
use_dumb_member = True
user_tree_dn = cn=Users,dc=npt,dc=sd1
user_objectclass = top
user_id_attribute = cn
user_name_attribute = cn
dumb_member = cn=bill_chen,ou=Users,dc=npt,dc=sd1
tenant_tree_dn = ou=Tenants,dc=npt,dc=sd1
tenant_objectclass = top
role_tree_dn = ou=Roles,dc=npt,dc=sd1
role_objectclass = top
role_id_attribute = cn
role_member_attribute = cn

[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory

[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory

[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory

[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service

[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory

[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory

[pipeline:public_version_api]
pipeline = stats_monitoring url_normalize xml_body public_version_service

[pipeline:admin_version_api]
pipeline = stats_monitoring url_normalize xml_body admin_version_service

[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/ = public_version_api

[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/ = admin_version_api
After configuring the AD server and keystone.conf, we can use keystone commands to get the user list, role list, and tenant list from the AD server, like below:
keystone --debug --token admin --endpoint http://127.0.0.1:35357/v2.0 user-list
+-----------------------------------------+-----------------------------------------+---------+-------+
| id                                      | name                                    | enabled | email |
+-----------------------------------------+-----------------------------------------+---------+-------+
| Administrator                           | Administrator                           |         |       |
| Allowed RODC Password Replication Group ...
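Before chasing the Horizon error, a reviewer would first sanity-check the [ldap] section itself, since Keystone's LDAP driver builds its searches from `suffix`, the three `*_tree_dn` values and `dumb_member`. The script below is an added example (not code from the question or from Keystone) that parses a keystone.conf text and reports the consistency problems a practitioner looks for: tree DNs that do not sit under `suffix`, a `dumb_member` that is outside `user_tree_dn`, object classes set to `top` (which every LDAP entry carries, so the filter matches everything in the tree), and a plain `ldap://` URL, over which the bind password travels unencrypted. The `SAMPLE_CONF` string is constructed here to mirror the values quoted above; the check names and messages are my own.

```python
"""Consistency checks for the [ldap] section of a keystone.conf.

Added example, not part of the original post or of Keystone. The
sample configuration is constructed to mirror the [ldap] values quoted
in the question; the checks and their wording are assumptions of this
example, not Keystone's own validation.
"""
import configparser
from typing import List, Tuple

# Constructed sample: the [ldap] section as quoted in the question.
SAMPLE_CONF = """
[ldap]
url = ldap://10.109.37.118:389
user = cn=bill_chen,cn=Users,dc=npt,dc=sd1
password = *
suffix = cn=npt,cn=sd1
use_dumb_member = True
user_tree_dn = cn=Users,dc=npt,dc=sd1
user_objectclass = top
user_id_attribute = cn
user_name_attribute = cn
dumb_member = cn=bill_chen,ou=Users,dc=npt,dc=sd1
tenant_tree_dn = ou=Tenants,dc=npt,dc=sd1
tenant_objectclass = top
role_tree_dn = ou=Roles,dc=npt,dc=sd1
role_objectclass = top
role_id_attribute = cn
role_member_attribute = cn
"""


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into normalised (attribute, value) RDN pairs.

    Handles the simple comma-separated DNs used in keystone.conf;
    escaped commas inside values are not expected there.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def dn_under(child: str, parent: str) -> bool:
    """True when `parent` is an equal or proper suffix of `child`."""
    c, p = parse_dn(child), parse_dn(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def check_ldap_section(conf_text: str) -> List[str]:
    """Return a list of human-readable findings for the [ldap] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    ldap = cfg["ldap"]
    findings: List[str] = []

    # Transport: a plain ldap:// simple bind sends the service-account
    # password in clear text between Keystone and the directory.
    url = ldap.get("url", "")
    if url.lower().startswith("ldap://"):
        findings.append(
            "url: plain ldap:// bind sends the password unencrypted; "
            "prefer ldaps:// or STARTTLS")

    # Every search base must sit under the configured suffix.
    suffix = ldap.get("suffix", "")
    for key in ("user_tree_dn", "tenant_tree_dn", "role_tree_dn"):
        tree = ldap.get(key, "")
        if tree and not dn_under(tree, suffix):
            findings.append(f"{key} ({tree}) is not under suffix ({suffix})")

    # The dumb member is expected to be an entry in the user tree.
    if ldap.getboolean("use_dumb_member", fallback=False):
        dumb = ldap.get("dumb_member", "")
        user_tree = ldap.get("user_tree_dn", "")
        if not dn_under(dumb, user_tree):
            findings.append(
                f"dumb_member ({dumb}) is not under user_tree_dn ({user_tree})")

    # objectClass=top is carried by every entry, so it matches all of them.
    for key in ("user_objectclass", "tenant_objectclass", "role_objectclass"):
        if ldap.get(key, "").lower() == "top":
            findings.append(
                f"{key} = top matches every entry in its tree; use a specific class")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_section(SAMPLE_CONF):
        print("-", finding)
```

Run it against your real keystone.conf by replacing `SAMPLE_CONF` with the file contents; each finding points at one key to fix or to confirm deliberately. The checks are structural only: they do not contact the directory, so a clean report means the DNs are internally consistent, not that the entries exist in AD.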